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Description 

BACKGROUND OF THE INVENTION 

Field of the Invention 

This invention relates to a digital signature method 
and to an information communication system. 

Related Background Art 

Computers and computer networks have recently 
come into wide use; and because of this they can be 
implemented in a manner to carry out social activity. 
However, in this situation, there is a problem of invasion 
of Individual privacy. 

One method for carrying out social activity while 
protecting privacy is that of maintaining anonymity. 

By using public key cryptography, a sender can 
send information only to an intended receiver, and the 
receiver can be certain of the identity of the sender. 

By using a technique known as "zero knowledge 
proof", it is possfole for one person who has information 
to prove to another person that he/she has certain infor- 
mation while the information itself remains confidential. 

An information communication system which uses 
such technique is described in a publication by Masahiro 
Mambo and Eijl Okamoto entitled 'A Method to Publicly 
Specify a Signer with Hiding Identity", (The 18th Sym- 
posium on I nlorrnal ion Theory and Its Applications - Oc- 
tober 1995). 

In this specification, the above described informa- 
tion communication system is referred to as the 'MO 
System". 

Also in this specification, cryptographic techniques 
such as 'Public Key Cryptography 1 , "Zero Knowledge 
Proof, "MO System 1 and "Digital Signature Method" will 
be described below in order. 

Public Key Cryptography 

Public Key Cryptography is an encryption method 
wherein each user has an individual public encryption 
key, or algorithm, which is publicly available, as well as 
an individual secret decryption key, or algorithm, which 
is kept secret. 

Public Key Cryptography has the following features: 

(1) The public key is different from the secret key; 
and key delivery is easy, since there is no need to 
keep the public key secret; 

(2) Each user's public key is open; but his own se- 
cret key is kept secret; and 

(3) It is possible to realize adigital signature function 
which establishes that the sender is not a pretender 
and that the information has not been changed. 



public key cryptography satisfies the following two con- 
ditions (in the following conditions, the encryption proc- 
ess for encrypting a message M by using a public key 
Kp is denoted as E(Kp, M); and the decryption process 
5 for decrypting the message M by using a secret key Ks 
is denoted as D(Ks, M)): 

(1 ) The encryption process E(Kp, M) can be carried 
out easily by the sender by using the receiver's pub- 

10 lie key Kp and the decryption process D(Ks, M) can 
be carried out easily by the receiver by using his 
secret key Ks. 

(2) It will be computationally difficult for anyone to 
is decrypt a ciphertext C = E(Kp, M) without the re- 
ceiver's secret key Ks, even though he/she knows 
the receiver's pubic key Kp and the encryption al- 
gorithm to encrypt a message M. 

It is also possible, with the above conditions (1 ) 
20 and (2), plus another condition (3), to cany out a 
secret communication: 

(3) For any message M, E(Kp, M) can be defined 
and 

25 

D(Ks,E(Kp, M)) = M. 

In carrying out secret communication, every- 
30 one can operate the encryption process E(Kp, M), 
. since the receiver's public key Kp has been made 
public. Also, only the person who knows the secret 
key Ks can operate the decryption process D(Ks,E 
(Kp, M)) to obtain the message M. 
35 Furthermore, the above conditions (1) and (2) 

and another condition (4) will enable authentication 
(digital signature). 

(4) For any message M, D(Ks, M) can be defined 
40 and. 

E (Kp.D (Ks, M)) = M. 

45 In authentication, only the person who knows the 
secret key Ks can operate the decryption process D(Ks, 
M) and obtain the result value S = D(Ks, M). If someone 
were to try to carry out a decryption process D(Ks, M) 
by using a false secret key Ks\ or if someone were to 

so change S = D(Ks, M) to S' = D(Ks, M)', the receiver 
would recognize that the message which the receiver 
received must be incorrect. This is because the receiver 
would check against the message M: 

55 E (Kp,D (Ks\ M)) * M; 



The encryption algorithm for the above mentioned 



and 
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E (Kp, D (Ks, M)') * M. 

Public key cryptography which can bo used lor both 
secret communication and authentication includes 
•RSA Cryptography", which is described in a paper writ- 
ten by R.L Rivest, A. Shamir and L. Adleman, entitled 
■A Method of Obtaining Digital Signatures and Public 
Key Cryptosystems', published in Communications ol 
ACM, vol. 21, no. 2, pp. 120-26, 1978; and "EIGamal 
Cryptography \ which is described in a paper written by 
T.E. EIGamal, entitled "A Public Key Cryplosystem and 
a Signature Scheme Based on Discrete Logarithms:, 
published in IEEE Transactions on Information Theory, 
vol. IT-31 , no. 4, pp. 469-72, 1 985. 

Public key cryptography which can be used for au- 
thentication ncludes the a Fiat-Shamir signature 
scheme, ■ which Is described in a paper written by A. Fiat 
and A. Shamir, entitled "Howto Prove Yourself; Practical 
Solutions of Identification and Signature Problems," 
published in Proc. ol CRYPTO '86, 1987; and the 
■Schnorr signature scheme," which is descrbed in a pa- 
per written by CP. Schnorr, entitled 'Efficient Signature 
Generation by Smart Cards," published in Journal ol 
Cryptotogy, vol. 4, pp. 181-174, 1991. 

These techniques are also described in a book by 
Bruce Schneler, entitled "Applied Cryptography. Proto- 
cols, Algorithms, and Source Code In C (second edi- 
tion), published by John Wiley & Sons, Inc., which in- 
cludes a broader and more detailed explanation of cryp- 
tography. 

Zero Knowledge Proof 

Zero Knowledge Proof means that a prover proves 
a proposition to a verifier under the following conditions: 

{1 ) Completeness: If the proof is correct, the verifier 
accepts It with overwhelming probability, namely, 
nearty 100%; 

(2) Soundness: If the proof is not correct, the verifier 
rejects it with overwhelming probability, namely, 
nearty 100%. 

(3) Zero Knowledge: If the proof Is correct, the prov- 
er does not release any information aboutthe secret 
knowledge but only the correctness of the proof. 

Several methods of Zero Knowledge Proof have 
been proposed, in which a prover having a secret can 
prove to a verifier that the prover knows the secret with- 
out revealing any information about the secret. Since 
these methods are applied to identification and/or digital 
signature schemes, Zero Knowledge Proof is consid- 
ered to be a basic technique in the field of information 
security. 

MO System 

The MO system, as applied in connection with the 
above described Public Key Cryptography and Zero 



Knowledge Proof, will be described with reference to 
Fig. 1 . This MO system consists of a specifier, a plurality 
of users; a signer who is specified by a user; and a ver- 
ifier who verifies the signature of the specified signer. 
5 In Fig. 1 , "Public Information 1 means common data 
in the system, "Public Database" means an Issued da- 
tabase, and each arrow represents the sending, receiv- 
ing and obtain ing of data. Numbers enclosed in brackets 
represent the order ol procedure. 

10 

Step 0 - Preparation 

The following notations and definitions are'used in 
the specification. These notations are from elementary 

is number theory relating to integers. Let Z be the set ol 
integers, that is {...,-2, -1, 0, 1, 2, ...}, Z p be {0, 1 , .... p- 
1 }, and Zp* be the set of integers which are elements in 
Z p and relatively prime to p. For any integer a and any 
positive Integer n, there are unique integers q and r such 

20 that 0 5 r < n and a = qn + r. The value r = a mod n is 
the remainder (or residue) of the division. a = b (mod n) 
means that (a mod n) = (b mod n). the order of a in 
Is defined as the least integer I > 0 such that a 1 = 1 (mod 
P). 

25 First, prime numbers p and q, an element a in Z£ 
of order q, and a hash function h are prepared, where 
ql (p-1) (i.e., q divides p-1), a* = 1 (mod p), and h : Z p 
X {0, 1, .... 2M}, where t is a security parameter. 
These numbers are registered and managed so that 

30 each user can access the numbers in a manner such 
that they are not changed. 

A specifier i generates a public key v f and a secret 
key Sj (V| = aW mod p) and registers the public key v, 
into a public database. A user j, who can be a signer, 

35 generates a public key Vj and a secret key Sj(Vj = aN 
mod p) and registers the public key v ( in the public da- 
tabase. A plurality of users and signers can exist in this 
system. 

40 step 1 - Specifying and Making Known the User 

The specifier I specifies a user, namely a signer j, 
from several users (denoted arrow 101 In Fig. 1) and 
obtains Zj which is converted from the public key Vj of 
45 the signer j by using a random number. The specifier i 
obtains a signature (signature by Schnorr signature 
scheme) on Zj (procedure (1) In Fig. 1), and registers 
that signature into the public database (arrow 102 in Fig. 

1). 

so in actuality, the specifier i selects a secret random 
number r 2^* and obtains the following parameters, by 
using the following equations. The specifier I then reg- 
isters the signature ((y jp ej, Xj), Zj): 

55 r 

Xj = a mod p; 
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and 



Zj = (Vj) r mod p; 



ej = h(x j( zp ; 



Yj = r + 8| < &j mod p. 



Step 2 - Picking Up the Data 

The user j picks up the registered signature from 
the database (procedure (2) and arrow 103} and con- 
firms whether or not the signature (ty, ej, Xj), Zj) is that 
of the user, by checking the following equations: 



is 



and 



ej = h(a 1 -(Vj) 1 modp.Zj) 



z j = 0Cj) modp 



(1): 



20 



(2). 25 



Any user can confirm the above equation (1 ). 
Furthermore, the signer | can confirm the above equa- 
tion (2), and can recognize that the signer j has been 
specified by the specifier i. 

On the other hand, another user k(* j) can, by using 
his own key Sk, recognize that the equation (2) is not 
valid, because Sk * Sj. But the user k can not recognize 
who is specified, since the user k will not know which 
user's key makes equation (2) valid. 

Step 3 - Generation of the Signature 

The signer j makes his signature on a message M 
based on the following formulas: 

x1=a {rj} modp; 



and 



x2 = (Vj) mod p. 

Then the signer j obtains the following parameters 
e' and y as follows: 



30 



35 



40 



45 



e' = h (x2, m) ; 



so 



55 



and 



y = - Oj-e 1 ) Sj mod q. 



Next, the signer j sends the parameter ((y jl e iJ x j ),Zj, 
5 (y,e\x1 ),m) as his signature to an intended person (pro- 
cedure (3) and arrow 104). 

Step 4 - Verification of the Signature 

10 The verifier, in the first instance, confirms the above 
equation (1) as well as the following equation: 



e^hfZj, a -(v,) modp). 
The verifier then confirms the following equation: 



e' = h(m,x2) 



x2 = a y • (V|) {e,J mod p 



(3) 



The signer j then executes Zero Knowledge Proof 
with the verifier for proving the following equation (pro- 
cedure (5) and arrow 105 In Fig. 1): 



2 " " S j- 



If the Zero Knowledge Proof is correct, the verifier 
can conclude that the signature on the message M was 
signed by the signer j. 

In the above MO system, it is assarted that a spec- 
ifier i specifies a signer j, and the specified signer j can 
generate his digital signature anonymously. In addition, 
the verifier who receives this signature will recognize 
that a signer ] who was specified by the specifier i has 
generated the signature, bul the verifier will not know 
the specific identity of the signer j. 

Because of this feature, the MO system is especial- 
ly applicable for the provision of welfare services and for 
audience rating investigations. In these cases, the oc- 
currence of a request for a welfare service or the sub- 
mission of an audience reaction is publicly verified by 
everyone. Nevertheless, the person making the welfare 
request or submitting the audience reaction remains 
anonymous. These statements are asserted in the pub- 
lication by M. Mambo and E. Okamoto entitled 'A Meth- 
od to Publicly Specify a Signer With Hiding Identity", cit- 
ed above. 

Digital Signature Method 

A description of the Digital Signature Method in re- 
lation to Public Key Cryptography and Zero Knowledge 
Proof is given in a paper entitled "Group Signatures' by 
D. Chaum and E. van Heyst, Proc. of EUROCRYPT '91 , 
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pp. 257-65 (1991 ). This method, which is relerred to as 
•group signature 1 , has the following features: 

(1 ) Only members of the group can sign messages; 

(2) The receiver of the signature can verify that it is 
a valid signature of that group, but cannot discover 
which member of the group made it; and 

(3) In the case of a dispute later on, the signature 
can be "opened" (with or without the help of the 
group members) to reveal the identity of the signer. 

The above-mentioned group signature is applicable 
to a bidding, ortender, system. In the tender system, the 
set of bidders forms a group, and each member makes 
a group signatu re on a message indicating the price, etc. 
The Identity of the highest bidder is revealed but the re- 
maining bidders are anonymous. 

The known MO system has been subject to the Id- 
lowing problems: 

1. The MO system requires the public key of the 
specified signer when a signature is verified, al- 
though the signer made the signature anonymously. 
That is, the anonymity of the signer is not complete- 
ly preserved. Furthermore, once the verifier con- 
firms the signature, a plurality of communications 
between the verifier and the signer are still required; 
and 

(2) The MO system is based on the assumption that 
the system is Implemented over a network which 
can hide the identity of a sender/receiver who has 
a plurality of communications. Such a network is 
more expensive than a simple network which can 
hide the identity of a sender who makes only one 
transmission of a message. 

There are four kinds of group signature methods In 
the above mentioned paper by Chaum et al.; one of 
them requires a special authority to open a group sig- 
nature and others do not; it is easy to add a new member 
in another of the four, while it is not in the others; and 
each method has the same problem, namely, that the 
size of the public key of a group is linear in relation to 
the number of members. In another group signature 
method, which is described in a paper entitled P A Prac- 
tical Group Signature" by S.J. Park, I.S. Lee and D.H. 
Won, published In Proc. of the 1 995 Japan-Korea Work- 
shop on Information Security and Cryptobgy, IV- 
3.00127 and pp. 127-33 (1995), the size of the public 
key of a group does not grow linearly with the number 
of members. In this method it is easy to add new mem- 
bers. However, this method always requires a special 
authority in order to open the signature. 



SUMMARY OF THE INVENTION 

This invention is made in this consideration of the 
above circumstances; and it is an object of the invention 
5 to provide a digital sigjiature method and information 
communication system which can solve the above prob- 
lems. 

According to one aspect ol the invention, there is 
provided a digital signature method which comprises a 
io first step for generating public information based on a 
common public parameter and an uncommon secret pa- 
rameter, a second step for converting the common pub- 
lic parameter and the public information, a third : step for 
making a signature based on the common pub lb param- 
is ater, the public information, and the uncommon secret 
parameter, and a fourth step for confirming the relation- 
ship between the signature and the corresponding mes- 
sage based on the converted public information and the 
converted common public parameter. 
20 According to another aspect of the invention, there 
is provided an Information communication system which 
comprises a means for making or generating a digital 
signature based on a digital signature method and a 
means for confirming whether or not a signature was 
25 generated by the generating means. 

According to another aspect of the invention, there 
is provided an information communication system which 
comprises a specifying means for specifying a signatu re 
generating means by means of a first signature method, 
so a means for obtaining a base and a public key by using 
a second signature method, and a generating means tor 
making or generating a digital signature by using the 
base and the public key based on the first signature 
method, wherein the digital signature proves the signa- 
ls ture generating means which has a secret key corre- 
sponding to the public key generated by the means for 
obtaining the base and the public key. 

According to another aspect of the invention, there 
is provided an information communication system which 
40 comprises a means for generating a first digital signa- 
ture based on a first digital signature method, a means 
for generating a second digital signature by using the 
first digital signature based on a second digital signature 
method, and a means for confirming the authenticity of 
45 the second digital signature by using the first digital sig- 
nature and the second digital signature. 

According to another aspect of the invention, there 
is provided a computer readable memory having the fol- 
lowing program codes: a first program code for gener- 
so ating public information based on a common public pa- 
rameter and an uncommon secret parameter; a second 
program code for converting the common public param- 
eter and public information; a third program code lor 
generating a signature based on the common public pa- 
ss rameter, the public information, and the uncommon se- 
cret parameter; and a fourth program code for confirm- 
ing the relationship between the signature and the cor- 
responding message based on the converted public in- 
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formation and tha converted common public parameter. 

According to another aspect of the invention, there 
is provided a computer readable memory having follow- 
ing program codes: a specifying program code tor spec- 
ifying a signature generating means by using a first sig- 
nature method; a base and public key obtaining program 
code for obtaining a base and a public key by using a 
second signature method; and a digital signature gen- 
erating program code for generating a digital signature 
by using the base and the public key based on the first 
signature melhod, wherein the digital signature proves 
the signature generating program code which has a se- 
cret key corresponding to the pubic key generated by 
the base and public key obtaining program code. 

According to another aspect of the invention, there 
is provided a digital signature method which comprises 
a step for generating a digital signature by a group mem- 
ber, a step for confirming, by using a public key of the 
group, whether or not the digital signature has been gen- 
erated by group member, and a program code for re- 
vealing a member who has generated the digital signa- 
ture. 

According to another aspect of the invention, there 
is provided a computer readable memory having the fol- 
lowing program codes: a program code for generating 
a digital signature by a group member; a program code 
for confirming, by using a public key of the group, wheth- 
er or not the digital signature was generated by group 
member, and a program code for revealing the member 
who generated the digital signature. 

According to another aspect of the Invention, there 
is provided a digital signature method h which the public 
key of a member conriprises the result of an exponential 
operation with a base and the secret key of the member 
as an exponent. This method comprises: a first step tor 
generating a second base by performing a first expo- 
nential operation with a first base and a random number 
as an exponent; a second step for generating a second 
public key by performing a second exponential opera- 
tion with a first public key and the random number as an 
exponent; a third step for generating a first digital sig- 
nature on a message by using the secret key of a user; 
and a fourth step tor confirming the authenticity of the 
first digital signature by using the second base and the 
second public key. 

According to another aspect of the invention, there 
is provided a further digital signature method In which 
the public key of a member comprises the result of an 
exponential operation with a base and the secret key of 
the member as an exponent. This method comprises: a 
first step for generating a second base by performing an 
exponential operation with a first base and a random 
number as an exponent; a second step for generating 
a second public key by performing an exponential oper- 
ation with a first public key and the random number as 
an exponent; a th ird step for generating a first digital sig- 
nal u re on a message by using a secret key of a user, a 
fourth step for confirming the authenticity of the first dig- 



ital signature by using the second base and the second 
public key; a fifth step for generating a second digital 
signature corresponding to the second public key by a 
special user; and a sixth step for revealing a signer 

s based on a third signature which is generated based on 
the first and second digital signatures. 

According to another aspect of Ihe invention, there 
is provided a computer readable memory having pro- 
gram code for information communication in which a first 

10 public key of a member is the result of an exponential 
operation with a first base and an exponent comprising 
a secret key of the member. The memory contains the 
following program codes: a first program code fbr gen- 
erating a second base by performing an exponential op- 

»5 e ration with the first base and a random number as an 
exponent; a second program code for generating a sec- 
ond public key by performing an exponential operation 
with the first public key and the random number as an 
exponent; a third program code for making a first digital 

20 signature on a message by using a secret key of a user, 
a fourth program code for confirming the authenticity of 
the first digital signature by using the second base and 
the second public key; a fifth program code lor making 
a second digital signature corresponding to the second 

2& public key by a special user; and a sixth program cods 
for revealing a signer based on a third signature which 
is made based on the first and second digital signatu res. 



30 



BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a block diagram showing the MO system; 



Fig. 2 is a block diagram showing an embodiment 
of a communication system according to the 
35 present Invention; 

Fig. 3 is a flow chart of digital signature procedure 
used In the present invention; 

40 Fig. 4 is a memory map of the embodiment of Fig. 2; 

Fig. 5 is a second memory map of the embodiment 
of Fig. 2; 

45 ng. 6 is a block diagram showing another embodi- 
ment of the present invention; 

Fig. 7 is a flow chart for the embodiment of Fig. 6; 

so Fig. B is a block diagram showing a signature sys- 
tem according to the present invention; 

Fig. 9 is a block diagram showing a group signature 
system according to the present invention; 



55 



Fig. 1 0 is a flow chart for the system shown in Fig. 9; 
Fig. 11 is a memory map of the embodiment of Fig. 
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9; and 

Fig. 1 2 is a second memory map o1 the embodiment 
cl Fig. 9; 

DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

Several embodiments ot this invention will be de- 
scribed hereinbelow with reference to the Figures. 

The digital signature ot the first embodiment is 
based on discrete logarithms. In tfiis embodiment a se- 
cret key is not changed but a public key and the base 
are changed by an exponential operation which uses a 
random number as an exponent. 

In this embodiment an ordinary (non-Interactive) 
digital signature scheme is used, whereas a digital sig- 
nature scheme based on Zero Knowledge Proof is used 
in the MO system. 

The information communication system of this em- 
bodiment, which has above described features, Is able 
to maintain the anonymity of a signer, since a verifier 
can verify the signer's signature without using the public 
key of the signer. 

In this embodiment, the number of required com- 
munications and operations which accompany each 
communication can be decreased, since the verifier can 
verify the signature of ihe signer without using Zero 
Knowledge Proof inwhichapluralityof commun ications 
is needed. All that is needed is one communication to 
send the signer's signature to the verifier. 

In addition, this system can operate in a simple and 
inexpensive network. 

First Embodiment 

Fig. 2 shows an information communication system 
as applied for carrying out a digital signature method ac- 
cording to a first embodiment of the invention. Fig. 3 is 
a flow chart which shows the operations performed in 
connection with the digital signature method. The first 
embodiment will be described with reference to Fig. 2 
and Fig. 3. 

Step 0 - Preparation 

At first, prime numbers p and q such that ql(p-1 ), an 
element a in Z* of order a, and a one-way hash function 
h : Z p X Z-» {0 2< K| )) fi are prepared. These num- 
bers, which comprise a common public parameter, are 
registered and managed so that every user can access 
them and so that they cannot be changed. 

The specifier i generates a public key v, and a secret 
key Sj(v, = a^iJmod p) and registers the public key v, in 
the public database. The user ], who can be a signer, 
generates a public key Vj and a secret key Sj(Vj = a<^ 
mod p) ; and registers the public key Vj into a public da- 
tabase. A plurality ol users and signers can exist in this 



system. 

Step 1 - Specifying a User 

5 The specifier i specifies a user (signer) j, from the 
several users (arrow 201 in Fig. 2); and obtains Zj which 
is converted from the publ ic key Vj of the signer ) by usln g 
a random number. The specifier then gets a signature, 
tor example by Schnorr signature scheme (procedure 

'0 (1) in Fig. 2), and registers that signature as public in- 
formation into the public database (arrow 202 in Fig. 2) . 

More concretely, the specifier i selects a secret ran- 
dom number r from Zqt and obtains the following pa- 
rameters by using the following equation, and registers 

1& the signature ((y jp ej), Zj) : 

x, = a J modp; 



z, = (Vj) modp; 
Oj = h(x,, Zj); 

25 

and 

y^ =■ rj + 6j ■ 3 ( mod p. 

30 

Step 2 - Picking Up the Data 

The user (signer) ] confirms whether or not the sig- 
nature ((yj t ep,Zj) is for the user based on the database 
3S by checking following equations (procedure (2), arrow 
203 in Fig. 2): 

6j = hfa^ - {v^ mod p, z,) (4); 

40 

and 

z, = (a^ 1 - ( V| ) <e|) mod p)**' 1 mod p (5). 

45 

Thereafter, aMJ • (V|)W mod p will be denoted as x jp 
since the following equation Is valid: 

so a 1 - (v,) 1 modp = Xj. 

Any user can confirm the above equation (4). 

Furthermore, the signer i can confirm the above 
equation (5); and recognize that signer i has been spec- 
55 ified as the signer. 

On the other hand, another signer can recognize 
that the equation (5) is not valid by using his own key. 
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However, such other signer can not recognize who has 
been specified, since the other signer does not know 
which key of user made the equation (5) valid. 

Step (3) - Generating the Signature 

The signer j makes his signature on a message m 
(j) based on the followhg formulas; and the signer se- 
lects a secret random number (J) and carries out the Id- 
lowing equations: 

{'i> 

x(j) = (Xj) mod p; 
e(D=h(x(j), m(D); 

and 

y(D = rfi) + gQ) • Sj mod q. 

Next, the signer j sends the parameter (((yj, ej), zj), 
((yO). eO). mfl))) as his signature to an intended person 
(procedure (3) and arrow 204). 

Step 4 - Verifying the Signature 

The verifier confirms the above equation (4) as well 
as the following equation (procedure (4) in Fig. 2): 

e(j)=h(x j ya) .z j 6<D modp,m{i)). 

11 the above is correct, the verifier can conclude that 
the signature tor the message mG) was signed by the 
signer who was specified by the specifier i. 

Here, we explain the notion ot public key certifi- 
cates. A trusted user, called the certification authority 
(CA), makes a signature on a message indicating the 
public key or a user, the identity of the user, and all the 
validation date, etc. The digital signatures by CA are 
called "public key certificates." If one needs to confirm 
a public key of a user, then one can verify the authen- 
ticity by confirming the public key certificate by means 
of the public key of CA. 

In this embodiment the digital signature made by 
the specifier on a (converted) public key of user is con- 
sidered as a kind of public key certificate. The difference 
from the ordinary public key certificate Is the anonymity 
of the certificate user. 

It will be appreciated that the signature ((y jp ep, Zj) 
on z j( whish is converted from Vj of the public key of the 
signer j, is called an anonymous public key certificate. 
The notion and precise description ol anonymous public 
key certificates are set out later. 

In this embodiment, each procedure of the signer, 
specifier and verifier will be carried out in the same ap- 



paratus which has a capability for operation and com- 
munication like a personal computer Also, communica- 
tions between the signer, the specifier and the verifier 
can be carried out by using a public database and a 
5 service 1or anonymous communication on a network 
such as the Internet 

The information communication system with digital 
signature of this embodiment will be carried out by the 
above described information processing apparatus 
10 which is capable of executing each of the above steps. 
The network used with this embodiment does not 
have to be the Internet. A so called 'intranet' can be 
used as well. ; 

In this embodiment, the anonymous public key cer- 
ts tificate may be sent directly from the specifier to the sign- 
er, so long as 11 Is not necessary for each user to confirm 
the specifier's specification. 

As mentioned above, since the information commu- 
nication system of this embodiment does not need the 
20 public key of the signer, the anonymity of the signer can 
be maintained. 

Also, since a plurality of communications between 
the verifier and signer are not required, the system can 
be implemented over a simple and less expensive net- 
25 work then that ol MO system. Therefore the proposed 
system can be constructed at low cost. 

In addition, since the number of communications 
and operations is decreased, It becomes easier tor the 
user. 

30 

Second Embodiment 

The second embodiment of this invention, which is 
shown in Figs. 6 and 7, will now be descrbed. 
35 Those parts of this embodiment which are the same 
as in the first embodiment will be omitted from the fol- 
lowing description. 

Instead of the Schnorr signature scheme, the digital 
signature used in this embodiment will be EIGamal cryp- 
40 tography, which is described In "A Public Key Crypto- 
system and a Signature Scheme Based on Discrete 
Logarithms' byT.E. EIGamal (IEEE Transaction Theory, 
vol. IT-31, no. 4, pp. 469-72, 1985). 

45 step 0 - Preparation 

This step is the same as step 0 of the first embodi- 
ment. 

so step 1 - Specifying a User 

This step is the same as Step 1 of the first embod- 
iment. 

ss step 2 - Picking Up the Data 

This step is the same as step 2 of the first embodi- 
ment. 
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Step 3 - Generating the Signature 

A signer j generates his signature lor a message m 
(j) based on the following formulas. Also, the signer j 
selects a secret random number k(j) from Zq$ and car- 
ries out the following equations: 

rQ)=(x,) Wi)} modp; 

and 

1(i) = {mO) + Q, - r(i)} • kfl)* 1 mod (p - 1). 

Next, the signer j sends the parameter (((yj,ep,Zj), 
((rQ), 1(l)).m0))) as his signature to a specified person. 

Step 4 - Verification of the Signature 

The verifier confirms the above equation (4) and the 
following equation: 

ec,)^-(^) TO -i(D OT (mocJp). 

If the above equation Is correct, the verifier can con- 
clude that the signature for the message m(j) was signed 
by a signer who was specified by the specifier i. 

Third Embodiment 

The third embodiment of this invention will be de- 
scribed next. 

Those parts of this embodiment which are the same 
as thefirst embodiment will be omitted from the following 
description. 

DSA, which is proposed as the standard of digital 
signature, and which is described in Bruce Schneier, 
'Applied Cryptography: Protocols, Algorithms, and 
Source Code", second edition, John Wiley & Sons, Inc., 
is used for the digital signature in this embodiment. 

In this embodiment, p.q^.Zj are used as public key, 
and 6j is used as secret key. 

Step 0 - Preparation 

This step is the same as step 0 of the first embodi- 
ment. 

Step 1 - Specifying and Making Known the User 

This step is the same as step 1 of the first embodi- 
ment. 

Step 2 - Picking Up the Data 

This step is the same as step 2 of the first embodi- 



ment. 

Step 3 - Generation of the Signature 

5 The sigjier makes his signature on a message m(j) 
based on the following formulas. The signer ) selects a 
secret random number k(j) from Zqf ; and carries out the 
following equations: 

10 rO) = «x j ) {k0)1 modp)modq; 

and 

75 fQ) = k(i) { ' 11 - <h(m(l))*| . r(j)) mod q. 

Nexl, the signer J sends the parameter (((yj.ep.Zj), 
((rQ), f(i),m(j)» as his signature to a specified person. 

20 

Step 4 - Verification of the Signature 

The verifier confirms the above equation (4), 0 < r 
0) < q, 0 < ffj) < q and the following equations: 

w = f (j*)" 1 mod q; 

„ u1=h(m(j))-wmodq; 



u2 = rfj) - w mod q; 

3S and 

v = ((Xj)*" 1 * - [z^ mod p) mod q. 

40 if the above equations are correct, the verifier can 
conclude that the signature on the message m(j) has 
been made by a signer who was specified by the spec- 
ifier i. 

45 Fourth Embodiment 

The fourth embodiment of this invention will now be 
described. 

Those parts of th is embodiment which are the same 
so as in the previous embodiment will be omitted from the 
following description. 

in this embodiment, the above mentioned EIGamal 
cryptography is used for generating an anonymnous 
public key certificate of Zj instead of the Schnorr signa- 
55 ture scheme. 

Nevertheless, it should be noted that the following 
equations must be valid: 
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Mora concretely, the specifier i selects a secret ran- 
Xj = a" 1 ' mod p; number rj Irom and carries out the following 

equations: 



and 



z j = (v | ) mod p. 



Xj = a 1 modp; 



{r,} 

More concretely, the specifier i selects a random z j = ( v j) mod pl 

number rj from and carries out the following equa- io 
tions: and 

j 

*j = a <r|) mod p; ' j = (r,) H1 ■ M*,)*, ■ *j) mod tl- 

(r j Again in the embodiment, the parameter ((Xj,1j),Zj) 

Zp (Vj) 1 mod p; Is the anonymous public key certificate. 

The authenticity of certification of the public key will 
and be proved by confirming 0 < Xj < p, 0 < fj < q and the 

20 following equations: 

f, = (z | + 8 | .itp-(r I ) { " 1, mod(p-1) 

1 1 ' ' w=(f j ) {1} modq; 

Also in this embodiment, the parameter ((xj,fj),Zj) is 
the certification o1 the publfc key. « u1 = h(z ) • wmodq; 

The authenticity of the anonymous public key certi- J 
fice is proved by confirming the following equations: 



^-^^(^(modp); jo 



and 



and 



Zj = (Xj) modp. ss 

The authenticity of the anonymous public key cer- 

Fifth Embodiment tificate is proved by confirming the following equation: 

The fifth embodiment of this invention will be de- M • 

scribed next. 40 *J = (*,) mod P" ^ 

Those parts of this embodiment which are the same 
as in the previous embodiment will be omitted from the As described above, this invention provides a digital 

following description. signature method which maintains the anonymity of the 

In this embodiment, the above described DSA is signer, 
used for generating an anonymous public key certificate 45 In a system using this invention, the numberof com- 

of Zj instead of the Schnorr signature scheme and the municatlons is decreased; and correspondingly, the 

ElGamal cryptography. number of operations is also decreased. 

Nevertheless, it should be noted that the following This system can be utilized on a simple and tnex- 

equations are valid: pensive network which only requires maintaining ano- 

50 nymity with respect to one transmission of a message; 

( r ) and the system does not require an expensive network 

Xj =a mod p; which requires maintaining anonymity with respect to 

many transmissions of message(s) from/to a user. 



u2 = X| • wmodq; 



v = a tlrt, .( V| ) w modp. 



and 



55 The Sixth Embodiment 

Zj ~ (Vj) mod p. The digital signature method of this embodiment is 

based on anonymous public key certificates. The meth- 
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od is used for group signatures. In this embodiment, the 
specifier is a trusted authority ZA, specified signers are 
members, and a digital signature based on an anony- 
mous public key certificate Is a group signature. 

The anonymous public key certificates have the tal- 
lowing leatures: 

1 . The certification authority (CA) converts, using a 
random number, the common public parameter and 
the public key of the certificate user. CA makes a 
signature on the converted public key. 

2. Since the same relationship holds between the 
converted public key and the original public key with 
respect to the secret key, the certificate user can 
make a signature on a message using the anony- 
mous public key certificates and the secret key. 

3. The receiver who received the anonymous public 
key certificates and the signature by the certificate 
user can verify that the converted parameter and 
public key are certified by CA. Using Ihe certified 
parameter and pub lie key, the verifier also verify that 
the digital signature on the message is genuine. 

4. We call the anonymous public key certificates by 
CA, together with the signature by the correspond- 
ing user, an anonymous signature because it Is hard 
to identify the signer from the signature. 

As mentioned above, the specifier Is the authority 
ZA and the user who is specified by the specifier (i.e., 
the signer) is the member. Thus the public key of the 
specifier is the public key of the group, and the anony- 
mous signature by the signer is the group signature. 

Next, the method to reveal a signer will be de- 
scribed. 

The authority ZA can record the relationship be- 
tween the members and the certificate. Therefore, the 
authority ZA can identify the signer of a group signature. 

On the other hand, it is possible to confirm whether 
or not a particular member is the signer by checking the 
equality of the secret key which is used for the group 
signature and the secret keys of each of the members. 
Accordingly, it is possible to obtain the Identity of the 
signer by requesting the proof of inequality of each 
member. This is because it is possible to prove that the 
secret key of each member who is not the signer is dif- 
ferent from the secret key which used for the group sig- 
nature. 

Anonymous public key certificates will now be de- 
scribed, followed by a description of the group signature 
with which it is utilized. 

Anonymous Public Key Certificates 

Anonymous public key certificates will be described 
with reference to Figs. 6 and 7. 

The system of anonymous public key certificates 
consists of a certiflction authority, a plurality of users, a 



certificate user who utilizes an anonyumouis public key 
certificate and a verifier who verifies the signature of the 
certificate user. 

This system is utilized with a network over which 

5 identifying the sender or the receiver of communiclaion 
is difficult. (In this specification, such a network will be 
called an "anonymous communication network'.) 

In Fig. 6, the term "Public Information 1 means a 
common database in the system and the term "Public 

10 Database' means an issued database. The arrows in 
Fig. 6 representthe sending, receiving and obtaining ol 
data and the numbers enclosed in brackets represent 
steps in an order of procedure. The term ■use?' refers 
to the particular one of the users who utilizes an anon- 

is ymous public key certificate. The term Verifier 1 refers 
to the person who verifies the signature made by the 
user 

Step 0 - Preparation 

20 

At first, prime numbers p and q such that ql(p-1 ), an 
element a of Z p * of order q (i.e., a* - 1 (mod p)) and a 
one-way hash function h : Z p x Z-> {0, 20- 1 )}, are 
prepared. These numbers are registered and managed 

25 so that every user can access them and so that they 
cannot be changed. 

The certification authority i generates a public key 
v, and a secret key S|(V| = a^ mod p) and registers th e 
public key v, into the public database together with the 

so identity. The user j, who can be a signer, generates a 
public key v ( and a secret key Sj(v, = a&f mod p) ; and 
registers the public key Vj into a public database together 
with the identity. A plurality of users and signers can ex- 
ist in this system. 

35 

Step 1 - Issue of Certificate 

The certification authority i specifies a user (signer) 
j, from the several users (arrow 1 01 in Fig. 1 2); and ob- 

40 tains Z| which is converted from the public key Vj of the 
signer j by using a random number. The certification au- 
thority then makes a signature on that, for example us- 
ing the Schnorr signature scheme (procedure (1 ) in Fig. 
1 ), and sends that signature to the user j (arrow 102 in 

« Fig. 1). 

More concretely, the certification authority i selects 
a secret random number r from and obtains the fol- 
lowing parameters by using the following equation, and 
registers the signature ((Vj, e^ Xj), Zj): 

so 

Xj = a 1 modp; 

55 Zj = (v,) mod p; 

e l = h (^ , Zj) ; 
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and 



= fj + • Sj mod p. 



Step 2 - Generation of the Signature 

The user j receives the signature (ty, ep, Zj) and 
confirms the following equations: 



certification authority. 

The above described anonymous public key certif- 
icates have following features: 

(1 ) Only the certification authority can specify the 
user j, and the proof of specification is the certificate 
(digital signature generated by the certification au- 
thority i); 



e, = h(a 1 -ty) modp.Zj) 



and 



2j = (a J .(v,) 1 modp) 1 modp (7). 

The user j makes his signature on the message m 
(j) based on the following formulas; and the user j selects 
a secret random n umber (j) and carries out the following 
equations: 

Xj = a - (v,) mod p; 



x© = ty OT, rnodp; 



10 (2) The specified signer can anonymously generate 
the signature by using the certificate and the secret 
( 6 )l key of the signer, 

i 

(3) The receiver can confirm the authenticity of the 
* s anonymous signature by using the public key of the 
specifier i; and 
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e()) = h(x(i),m(])); 



and 



y(D = + ■ ^ mod q. 

Next the user j sends the parameter ((yj.e^Zj), ((y 
(j).e(i)),mQ))) as his signature to an intended person 
(procedure (3) and arrow 103 in Fig. 1 ). 

Step 3 - Verification of the Signature 

The verifier first confirms the above equation (6) 
and the following equation (procedure (4) in Fig. 1): 



Xj =a 1 .(v,) 1 modp; 



and 



a(D = h ((Xj)^ • (zp {e(D} mod p,m (j)) . 

if the above is correct, the verifier can conclude that 
the signature on the message m(j) is that of a user j who 
received an anonymous public key certificate from the 



(4) It will be very difficult to distinguish the signer j 
by use of the anonymous signature, and forgery of 
20 the anonymous signature is very difficult. 

Group Signature Based on Anonymous Public Key 
Certificate 

The system of group signature based on anony- 
mous public key certificate Is shown in Fig. 8. in this sys- 
tem a plurality of users can anonymously communicate 
each other over an anonymous communication net- 
work. 

In this system there is a public database which can 
be accessed by the trusted authority ZA and users 1, k, 
v The public keys of each of the users and the common 
parameter are registered with the database. This data- 
base is property managed so as to prevent unfair action 
35 such as alteration. 

In Fig. 8 the group public key is denoted as v^. 
The group consists of members including users j and k. 
The users ] , k, obtain anonymous public key certificates 
(fy 3j> Zj) (Yip °k» 2k) which are issued by the authority 
40 ZA, respectively, and they each generate a signature 
part (e.g., (y(j), e(j), m) for user j) based on their own 
anonymous public key certificates. The users send the 
group signature (ty, z) t yfl), e(j), z(J)) to another user 
v over the anonymous communication network. 
45 The user v verifies the anonymous public key cer- 
tificate (yj, e jf Zj) by using the group public key Vp^ and 
obtains certified values. The user v can confirm the au- 
thenticity of the group signature by verifying y(j), e(j), z 
(j) with these values. 
so Next a concrete embodiment will be described with 
reference to Figs. 9 and 10. 

Fig. 9 shows the system which is applied to group 
signature based on anonymous public key certification. 
Fig. 10 shows the flow chart of a procedure related 
55 to the method of group sic/iature. Figs. 11 and 12 are 
memory maps for the system of Fig. 9. In this system, 
the user ] who receives an anonymous public key cer- 
tificate from the authority ZA generates the group sig- 
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nature, and the verifier, who receives the group signa- 
ture, confirms it as the group signature. 

Step 0 - Preparation 

This is the same as Step 0 previously described. 

Step 1 - Issue of Certificates to Members 

The authority authorizes the user as a member of 
the group; and obtains Zj which is converted from the 
public key Vj of the signer j by using a random number 
rj. The authority also makes the signature using the 
Schnorr signature scheme (procedure (1 ) In Fig. 9) and 
sends the signature directly to the user j (procedure (2) 
and arrow 402 In Fig. 9). 

In a concrete example, the authority ZA selects a 
secret random number r Irom ZJ and obtains the fol- 
lowing parameters by using the following equation, and 
sends the certificate (ty, Zj) : 

Xj = a 1 mod p; 



Zj = (v ( ) modp; 



Oj = h (Xj , zp ; 



and 



y ( = rj + 8| • s{ZA} mod q. 

Step 2 - Generation of the Group Signature 

The user j receives the signature (y ( , ej, zp and con- 
firms the following equations: 



e. = h(a^ i} - MZAlp 1 mod p, z.) 



{»,} 



and 



Zj = (a*'* . (v{ZA})~ r mod p) 



{ej) 



J modp 



(Q); 



()■ 



and 
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The user (member) j makes his signature on the 
message m(j) based on the following formula; and then 
the user j selects a secret random number(j) and carries 
out the following equations given below. 

Since Xj = aW < (v{ZA})t°i> mod p holds in the above 
equations, aW - (v{ZA})N mod p will be denoted as Xj 
in the following equations: 



55 



x(]) = (Xj) {r0)1 mod p; 



eG) = hfx(j), m(j)); 



yQ) = r(j) + e(j) ■ s j mod °*- 



Next, the signer j sends the parameter ((yj, ej, Zj), 
((y(i). oQ)). m (i)» 38 his signature to an intended person 
(procedure (3) and arrow 403 in Fig. 9). 

Step 3 - Verification of the Signature 

Firstly, the verifier confirms the above equation (8) 
and the following equation (procedure (4) in Fig. 4): 
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If the above is correct, the verifier can concl ude that 
the signature on message m(j) is the group signature 
signed by a member who is permitted by the authority. 

Methods to Reveal the Signer of the Group Signa- 
ture 

Revealing the signer ol the group signature will be 
realized by following two methods respectively. In the 
following description, the group signature is ((©*, y* ZjJ, 
e(k), y (k), m), the signer is the user (member) k and the 
random number which corresponds to generated by 
the authority ZA is r k . 

Method 1 - Revealing by the Authority 
Because the authority can record the random 
number which is used for generating the certificate, the 
authority can also distinguish which member corre- 
sponds to z k in the certificate when a group signature 
was given. Therefore, the authority can recognize that 
the signer is member K and that the random number is 

The authority proves that the secret key corre- 
sponding to the public key of the certifier is the secret 
key corresponding to the public key of the member. That 
is, the authority proves following equation by using Zero 
Knowledge Proof protocol for proving Ihe equality of dis- 
crete logarithms: 

l0 9vk z k = , °9 x ic 

In this equation, x k = aW • (v,) mod p. 

Also, the public key of the member is registered to- 
gether with the identity on the public database. 

Zero Knowledge Proof protocol for proving for log^ 
z k = log a x will be described next. 
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(1 ) The prover P sends v k to the verifier V. 

(2) The verifier V selects random numbers r1 and 
r2 Irom Zq* and carries out the equation ch = (v^)' 1 

- a' 2 . The verifier V sends its result to the prover P. s 

(3) The prover P selects a random number t (from 
Zq*)' and carries out the equations h 1 = ch • a 1 and 
h2 = (hi The prover P then sends the results to 
the verifier V. 

(4) The verifier V sends (r1 , r2) to the prover R 

(5) The prover P confirms ch = (v,^ » a* 2 , and sends 
t to the verifier V. 

(6) The verifier V confirms hi = (v k ) rt . aC 12 ** and 
h2 = (z k )rt .(x k )<r2 + t} . 

The above protocol is one example; and other pro- 
tocols may also be used In carrying out a proof. 

Method 2 - Disavowal by Each of the Members 

Another proof can be carried out, by means of which 
each member proves that the group signature to be ex- 
amined was not generated by one of the members. 

The member j (prover P) proves to the verifier V that 
the secret key corresponding to Z|< used for the group 
signature is different from the member's secret key (Sj - 
tog^ Zj) . That is, the equation (log^ Vj * tog^ is proven 
by using the following protocol PL. 

The protocol PL is executed under the assumption 
that both the prover P and verifier V know p, q, a, v,, Vj, 
z k and Xk = afrtf • (v^d mod p and have agreed on a 
parameter d. 

In this protocol PL, BC(r, R) is referred to as the bit- 
commitment to bit r using random input R. 

If someone selects 0 or 1, and computes the bit- 
commitment with a random input R and sends the com- 
mitment to another person, then that other person can 
not know which is selected (0 or 1 ) unless the other per- 
son obtains the random number R. Once a bit is com- 
mitted, the commitment can not be changed. An exam- 
ple of this is described in an article entitled "Practical 
and Provably Secure Release of a Secret and Exchange 
of a Signature" by LB. Damgard, Proc. of EUROCRYPT 
93, pp. 207-17 (1994). 

Zero knowledge proof protocol for proving tog^ Vj * 
log xk z k will be described next. 

In the following description, "mod p n will be omitted 
at times, to simplify the equations; however, one skilled 
in the art will understand that modular arithmetic is used, 
where it is used. 

(1 ) The verifier V selects a random number e (from 
Zq*) and B from (0, 1 ), carries outthe following equa- 
tions: 



if B = 0, (M,r2) = (a e ,(v j ) e ); 

and 

ifB = 1 ) (r1,r2) = ((x k ) e ,(z k ) e ). 

The result of this operation is then sent to the 
prover R 

(2) The prover P confirms whether M Ml s r? (mod 
p) is invalid or not If It is invalid, then r is 1 . ? On the 
other hand, i1 it is valid, then r is 0. 
Accordingly, the prover P sends g - BC(r.R) to the 
verifier V 

(3) The verifier V sends e to the prover R 

(4) The prover P confirms that (r1 ,r2) = (a 6 , (v^) or 
{r1 ,r2) = ((xj^, (Zfc) 6 ). If neither is invalid, the prover 
P makes ans = stop. If either Is valid then ans = R. 
Then the prover P sends the ans to the verifier V. 

(5) If ans = stop, the verifier V quits the protocol. If 
ans = R, the verifier V confirms that BCKB.R) = g. 

(6) The procedure (1 ) ~ (5) is repeated d times. 

The above-described protocol is only one example; 
and other protocols may also be used to establish the 
proof. 

The receiver who has the group signature to be ex- 
amined may use either method 1 or method 2 at his op- 
tion. Initially, the receiver may use method 1 automati- 
cally, and then use method 2 if the authority does not 
execute method 1 well. Alternatively, the receiver may 
initially use method 2, and then use method 1 if any 
problem occurs (lor example, the receiver can not con- 
tact with any members). 

If there are a plurality o1 groups, a plurality of au- 
thorities corresponding, respectively, to each group may 
be established. Also, one authority may represent all 
groups. In any case, the above method will be able to 
carry out the group signature method. 

In the above described embodiment, the authority, 
the specifier, the verifier, the group member and the re- 
ceiver will be able to carry out the above procedures on 
any apparatus, such as a personal computer, which is 
capable o1 processing information and which is capable 
of communicating. Also, communications among the 
signer, the specifier, the authority, the member, the ver- 
ifier, and the receiver may be carried out by using the 
service of an anonymous communication system such 
as the Internet. 

An information communication system having a dig- 
ital signature according to the embodiment employs an 
information operating apparatus, as above descrbed, 
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rfl) = i*\) {m ™> d PI 



1- 
and 



1(1) = (h(m(|)) + a, • r(|)) • k(j) { " 1) mod (p-1). 



for carrying out each of the above steps, and a commu- 
nication network, in this embodiment, the network is not 
limited to the Internet; a so-called intranet can be used 
in place of the Internet. 

Also in this embodiment, the anonymous public key 
certificate is sent by the authority directly to the member. 
In other situations, the receiver and the member may 
access the public database in which the certificate is 
registered. 

As mentioned above, this embodiment makes use 
of the new group signature system in which each mem- 
ber can prove whether or not the signature being used 
is their own signature. 

Furthermore, in this system, the data length of the 
group's public key is not proportional to number ol mem- 
bers. For example, on the assumption thai a prime 
number is 688 bits, a security parameter t of a one way 
hash function Is 70 bits and the public key size of the 
group signature (according to Park) is 1676 bits. 

On the other hand, the public key size of the above 
described embodiment for the same group is 1108 bits 
(about 34% decrease from Park's data size). 

Therefore, a system based on this embodiment can 
be used at low cost, since there is a reduction of the 
amount of data to be dealt with as well as flexibility for 
revealing the signer. 

In the embodiment, the authority can reveal the 
signer of the signature; and each member can prove dis- 
avowal. Therefore, if one of them does not work well, 
the remainder can be availabe to reveal the signer of 
the signature. So as a whole, the system based on this 
embodiment will be convenient lor use, and will be flex- 
ible. 

Furthermore, it is easy to add a new member to the 
group; and accordingly it is easy to manage the system. 
The Seventh Embodiment 

The seventh embodiment will now be described. A 
description of those parts of this embodiment which are 
the same as h the previous embod'ment will be omitted. 

In the previous embodiment the anonymous public 
key certificate correspond rig to Zj was generated based 
on the Schnorr signalu re scheme. And p.q^, Zj was pub- 
lic key, Sj was secret key and the Schnorr signature 
scheme was applied to the message m(j). 

However, in this embodiment, EIQamal Cryptogra- 
phy, instead of the Schnorr signature scheme, will be 
applied to the message m(j). 

The features o1 this embodiment which are different 
from those ol the previous embodiment are described 
below. 

Step 2 - Generation of the Group Signature 



Next, the signer j sends the parameter (ty ej), Zj, r 
10 (j), f (|), m(])) as his signature to an intended person. 

Step 3 - Verification of the Signature . 

The verifier confirms the following equations in or- 

is der 

e j = h(a J . (v{ZAJ 1 modp.Zj); 

and 

(^^-(z^-rfl^tmodp). 

II the above is correct, the verifier can conclude that the 
signature tor the message mfl) was signed by the signer 

j- 

The Eighth Embodiment 

The eighth embodiment will be described next. In 
the following, a description of those parts ol this embod- 
iment which are the same as in the previous embodi- 
ment will be omitted. 

In the previous embodiment, the anonymous public 
key certificate ol Zj was generated based on the Schnorr 
signature scheme or EIGamal cryptography; and the 
Schnorr signature scheme or EIGamal cryptography 
was applied to the message mrj). 

However, in this embodiment, DSA (Digital Signa- 
ture Algorithm), which is proposed as the digital signa- 
ture standard at NIST (National Institute of Standard and 
Technology), Is used for the message m(J). 

In this embodiment, p, q, Xj, Zj represent the public 
key and Sj represents the secret key. 

Step 2 - Generation of the Group Signature 

The signer j makes his signature on a message m 
so (j) based on the following formula; and the signer | se- 
lects a secret random number k(j) from Zq* and carries 
oul the following equations: 
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The signer j makes his signature on a message m _ ((x,)^ 1 mod p) mod q 

(J) based on the following formula; and he selects a se- ss u ' "V 

cret random number kfj) from Z£ according to the fol- 
lowing equations: 
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Step 1 - Issue of Certificates to Members 



t(i) = Ml*))™ ■ (h(mO)> * s i " r Q)» * 

In a concrete example, the authority selects a secret 
Next, the signer j sends the parameter ((y j( e$ t zj), random number rj Irom 1or the member and carries 
(rQ). f 0"). as his signature to a predetermined per- s out the following equations: 
son. 

C'|) . 

Step 3 - Verification of the Signature x i " a Pl 

The verifier confirms the following equation: *<> {r,} 

*j = (Vj) 1 mod p; 

Oj = h(a -(v^) modp, z^. m ^ 

Then, the verifier cofrfirms 0 < rfl) < q and 0 < f(j) < « = + W ^ ^ 

q, and carries out the following equations: J M za -j' x i' 

In this embodiment, the parameter (Xj, ffj, Zj) is the 
w = (1 (i)y mod q; certificate of the public key. 



20 



u1 - h(m(j)) • wmod q; 



u2 = rtj) . w mod q; 2S 



Step 2 - Verification of the Certification 

The right of the certification of public key is proved 
by confirming the following equations: 



.•'■'-hd'W*-* 



v= (fx/" 1 * . (z^ mod p) mod q; # 



and 



and the verifier confirms v = r(j). If the above equations Zj = ( x j) mod p. 
are correct, the receiver can conclude that the signature 

for the message m(j) was signed by the member who The Tenth Embodiment 

was permitted by the authority. as The tenth errrbodimentol this invention is described 

The Ninth Embodiment below. 

The ninth embodiment of this invention is described A description of those parts of this embodiment 

below. which are the same as in the previous embodiment, is 

A description of those parts of this embodiment omitted, 

which are the same as in the previous embodiment, is 40 in this embodiment, above mentioned DSA is used 

omitted. for generating a certificate of a pub lb key for z t instead 

In this embodiment, the above mentioned EIGamal of the Schnorr signature scheme and EIGamal cryptog- 

cryptography is used to generating an anonymous pub- raphy methods. 

lie key certificate of Zj instead of the Schnorr signature Nevertheless, it should be noted that the following 

scheme. 45 equations are valid: 

Nevertheless, it should be noted that the following 

equations are valid: iu) 

Xj = a modp; 

<']} , 

Xj = a modp; so and 

and {'j) , 

Zj = (Vj) modp. 

Zj - (Vj) mod p. 55 step 1 - Issue of Certificates to Members 

In a concrete example, the authority selects a secret 
random number r s from Zq£ for the member j and carries 
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out the following equations: 

Xj = a 1 mod p; 

Zj = (v,) modp; 

and 

^(rjP.thfz^.XjJnnodq. 

Also, In this embodiment, the parameter (xj, Sj, Zj) Is 
the certificate ol the public key. 

Step 12- Verification 

The authenticity of the certification of the public key 
is verified by confirming 0<Xj<p, 0<fj<q and the 
tallowing equations: 

w^f/^modq; 
u1 = h(zp - w mod q; 
u2=X| -wmodq; 

and 

v = a f " 1} .(v ai ) w, modp 1 



ing module, the recognition module, the changing mod- 
ule, or base generating module, the public key generat- 
ing module, the signature generating module and the 
confirmation module Is stored In a medium shown as 

5 Figs. 11 and 12. 

An apparatus, such as a computer, reads out the 
software program from the medium and executes steps 
based on the software program or the software program 
within the operating system of the apparatus. 

10 Moreover, the software program which is read out 
from the medium, may be written in the memory, of an 
expansion card or an expansion unit connected/with the 
computer, in such case, the CPU of the expansion card 
or the expansion unit may execute the above mentioned 

is steps based on the software program. 

As seen from the above, this embodiment employs 
the group signature method as well as the new group 
signature system based on the group signature method 
In which the data length of the public key of the group Is 

20 not linear in relation to the number of members. There- 
fore, a system based on the embodiment is convenient, 
and is of minimal cost, because the size of the data to 
be dealt with is reduced and because the system 
achieves flexibility for revealing the signer. 

25 In this embodiment, the authority can reveal the 
signer of the signature; and each member can prove dis- 
avowal. Thus, as a whole, a system based on this em- 
bodiment is convenient and flexible. Furthermore, this 
embodiment permits a group signature and a new group 

30 signature system based on the group signature method 
in which it Is easy to add a new member to the group. 
Therefore, management of this system is easy. 



3S claims 



1 . A digital signature method comprising: 

(a) a first step lor generating public information 
40 based on a common public parameter and an 

uncommon secret parameter; 

(b) a second step for converting the common 
public parameter and the public information for 
use in obtaining a signature for a message; 

45 (c) a third step for generating the signature, 

based on a common public parameter and the 
uncommon secret parameter; and 
(d) a fourth step for confirming the relationship 
between the signature and the message based 

so on the converted public information and the 

converted common public parameter. 



and v = Xj Is confirmed. 

The authenticity of certificate of publ ic key is verified 
by confirming the following equation: 

{*ii 

z j = (x j ) modp. 

Another Embodiment 

This invention can be used not only for a system 
which is comprised of several kinds of apparatuses, for 
example, a host computer, a reader, a printer and an 
interface, but also an apparatus such as a fax machine 
or a copying machine, etc. 

In the previously described embodiments, each 
step for a process may be executed by a software pro- 
gram stored in some medium such as a floppy disk, a 
hard disk, an optical disc, a magnetic optical disc, a CD- 
ROM, a CD-R, a magnetic tape, a non-volatile memory, 
a ROM, etc. 

In such a case, the information of at least the issued 
information generating module, the signature generat- 



2. A digital signature method according to claim 1, 
wherein the secret parameter is not calculated from 

55 the common public parameter and the public infor- 
mation. 

3. Adigital signature method according to any preced- 
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ing claim, wherein the common public parameter in 
said third step Is the common public parameter 
which is converted in said second step. 

4. A digital signature method according to any o1 5 
claims 1 and 2, wherein the common public param- 
eter and the public irrfonmation in said third step are 
the common public parameter and the public infor- 
mation, which are converted in said second step. 

5. A digital signature method according to any of 
claims 1 and 2, wherein said second step further 
comprises converting the common public parame- 
ter and the public information into a new common 
public parameter and new public information, and 
wherein said third step is performed based on the 
new common public parameter, the new public in- 
forma iton and the uncommon secret parameter. 

6. An information communication system comprising: 

(a) means for generating a digital signature 
based on a digital signature method; and 

(b) means for confirming whether or not a given 
signature was generated by said generating 
means. 

7. An information communication system according to 
claim G, wherein said digital signature method is 
based on a discrete logarithm. 

8. An information communication system according to 
claim 7, wherein said digital signature method is 
one ol the Schnorr signature method, the EIGamal 
signature method and the DSA signature method. 

9. An information communication system comprising: 

(a) specifying means for specifying a signature 
generating means by using a first signature 
method; 

(b) obtaining means for obtaining a base and a 
public key by using a second signature method; 
and 

(c) signature generating means for generating 
a first digital signature by using said base and 
said public key based on the first signature 
method, said signature generating means hav- 
ing a secret key corresponding to said public 
key generated by said obtaining means, 

wherein said digital signature verifies said signature 
generating means. 

10. An information communication means according to 
claim 9, further comprising: 

(d) second signature generating means for 
generating a second digital signature on a message 



by using said base and said public key generated 
by said obtaining means. 

11. An inforrraticn communication system according to 
claim 10, further comprising: 

(e) first confirming means for confirming the au- 
thenticity of said first digital signature by using 
said public key of said first digital signature; 

(f) second confirming means for confirming the 
authenticity of said second digital signature by 
using the base and the public key; and 

(g) judgment means for judging whether sub- 
jective digital signature is generated by said 
signature generating means specified by spec- 
ifying means based on the results obtained by 
said first and said second confirming means. 

12. An inforn^tkan communication system accordingto 
claim 11 , whereh said first digital signature method 
is one of a Schnorr signature method, an EIGamal 
signature method and a DSA signature method. 

13. An information communication system comprising: 

(a) means for generating afirst digital signature 
based on a first digital sigiature method; 

(b) means for generating a second digital sig- 
nature by using said first digital signature based 
on a second digital signature method; and 

(c) a means for confirming the authenticity of 
said second digital signature by using said first 
digital signature and said second digital signa- 
ture. 

1 4. An information comm un ication system acoordhg to 
claim 13, wherein said first digital signature gener- 
ating means functions to specify one of said gener- 
ating means as said second generating means by 
generating said first digital signature. 

1 5. An information comm unication system according to 
claim 14, wherein said confirming means operates 
to confirm whether said second digital signature is 
generated by said second generating means as 
specified by said first digital signature. 

16. A computer readable memory having following pro- 
gram codes: 

(a) a first program code for generating public 
information based on a common public param- 
eter and an uncommon secret parameter, 

(b) a second program code 1or converting the 
common public parameter and public informa- 
tion; 

(c) a third program code 1or generating a sig- 
nature for a message, based on the common 
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public parameter, the public information, and 
the uncommon secret parameter; and 
(d) a fourth program code for confirming the re- 
lationship between the signature and the mes- 
sage based on the converted public information 
and the converted common public parameter. 

17. A computer readable memory according to claim 
1 6, wherein said second program code is furtherlor 
converting the common public parameter and the 
public information Into a new common public pa- 
rameter and new public information, and wherein 
said third program code is further for generating the 
signature based on the new common public param- 
eter, the new public informaiton and the uncommon 
secret parameter. 

ia A computer readable memory storing: 

(a) a specifying program code for specifying a 
signature generating means by using a first sig- 
nature method; 

(b) a program obtaining code for obtaining a 
base and a public key by using a second sig- 
nature method; and 

(c) asignature generating program code, which 
has a secret key corresponding to the public 
key generated by said program obtaining code, 
for generating a first digital signature by using 
the base and the public key based on the first 
signature method, 

wherein said digital signature verifies said signature 
generating program code. 

19. A digital signature method comprising: 

(a) a step for generating a digital signature by 
a group member; 

(b) a step for confirming, by using a public key 
of said group, whether or not said digital signa- 
ture is generated by a group member; and 

(c) a step for revealing a member who gener- 
ated said digital signature. 

20. A digital signature method according to claim 1 9, 
wherein the size of said public key is not proportion- 
al to the number of said group members. 

21. A digital signature method according to claim 19, 
wherein said confirming step confirms said digital 
signature without a third party being able to confirm 
who the group member is who generated the sig- 
nature. 

22. A digital signature method according to claim 1 9, 
wherein said digital signature method is based upon 
the discrete logarithm problem. 



23. A digital signature method according 1o claim 22, 
wherein said digital signature is generated based 
on one of the Schnorr signature method, the EIGa- 
mal signature method and the DSA signature met h- 

s od. 

24. A digital signature method according to claim 19, 
wherein said confirming step confirms said digital 
signature with a special member of said group. 

10 

25. A digital signature method according to claim 19, 
wherein said revealing step is executed ^y each 
member who generates said digital signature. 

is 26. A computer readable memory having following pro- 
gram codes: 

(a) a program code for generating a digital sig- 
nature by a group member; 
20 (b) a program code for confirming whether or 

not said digital signature is generated by group 
member, by using a public key of said group; 
and 

(c) a prog ram code for revealing a member who 
2S generates said digital signature. 

27. A digital signature method in which the result of an 
exponential operation with a first base and a secret 
key of a member as an exponent is a first public key 
30 of said member, said method comprising: 



(a) a first step for generating a second base by 
carrying out an exponential operation with a 
first base and a random number as an expo- 

35 nent; 

(b) a second step for generating a second pub- 
lic key by carrying out an exponential operation 
with a first public key and said random number 
as an exponent; 

40 (c) a third step for generating a first digital sig- 

nature on a message by using a secret key of 
user; and 

(d) a fourth step for confirming the authenticity 
of said first digital signature by using said sec- 
45 ond base and said second public key. 

28. A digital signature method according to claim 27, 
wherein said digital signature is based on the diffi- 
culty for computing a discrete logarithm. 

so 

29. A digital signature method according to claim 27, 
wherein said digital signature is generated based 
on one of the Schnorr signature method, the EIGa- 
mal method and the DSA signature method. 

55 

30. A digital signature method in which Ihe result of an 
exponential operation with a first base and a secret 
key of a member as an exponent is a first public key 
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o1 said member, said method comprising: 

(a) a first step lor generating a second base by 
carrying out an exponential operation with a 
first base and a random number as an expo- s 
nent; 

(b) a second step for generating a second pub- 
lic key by carrying out an exponential operation 
with a first public key and said random number 

as an exponent; 10 

(c) a third step for generating a first digital sig- 
nature tor optional information by using a secret 
key of user; 

(d) a fourth step for confirming the authenticity 

of said first digital signature by using said sec- 15 
ond base and said second public key; 

(e) a fifth step for generating a second digital 
signature on said second public key by a spe- 
cial user; and 

(f) a sixth step for revealing a signer based on 20 
a third signature which Is generated based on 
said first digital signature and said second dig- 
ital signature. 

31. A computer readable memory having program 25 
codes for information communication in which the 
result of an exponential operation with a first base 
and a secret key of member as exponent Is a first 
public key of a member, said program codes includ- 
ing: 

(a) a first program code for generating a second 
base by carrying out an exponential operation 
with a first base and a random number as an 
exponent; 3S 

(b) a second program code for generating a 
second public key by carrying out an exponen- 
tial operation with a first public key and said ran- 
dom number as an exponent; 

(c) a third program code for generating a first *o 
digital signature for optional information by us- 
ing the secret key of a user; 

(d) a fourth program code for confirming the au- 
thenticity of said first digital signature by using 
said second base and said second public key; 45 

(e) a fifth program code for generating a second 
digital signature on said second public key by 
a special user; and 

(f) a program-code for revealing a signer based 

on a third signature which is generated based so 
on said first digital signature and said second 
digital signature. 
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FIG.1 

(PRIOR ART) 



(1): RANDOM NUMBER r 

x s a* mod p 
zj s Vf mod p 

ej = h(x, zj) 

yj s r+ej • si mod q 




(2) : «V|. ©I. *>. *j) 




FHJBUC INFORMATION 



p,q,a,Vbh 



PUBLIC DATABASE 



i's public-key Is vi. 
j a public-key Is vj. 
k*8 public-key is v* 

<(y|.ei.*j}.*j) 



(3) : ((yj, ej, X|), zj f (e.y.xlXmG)^ 




(5) : ZKP for DL (z, f xj) = DL (x2, x1 ) 

(4) : ej = h(z), art • mod p) 

705 e = h(n«,x2) 

x2 = aV ■ vj* mod p 
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FIG.2 



PUBLIC INFORMATION 




(4) : ej = h(aYi • vi<J mod p, zj) 
X] = an • v^i mod p 
e(j) = htyrtD . 2^0) mod p,mO)) 
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FIG.3 
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FIG.5 
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FIG.6 
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FIG.7 
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FIG.9 
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FIG .10 
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FIG.12 
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